CVE-2013-2174

medium

Description

Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent) character.
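The description names the bug class but not the mechanics. A NUL-terminated string that ends in "%" cannot be followed by two hex digits, so the overflow only arises when the caller passes a length-bounded input and the decoder peeks at the two bytes past that bound. The following is an added example, written for this page and not curl's lib/escape.c: a minimal URL-unescape routine in the flawed shape (the remaining-length counter is only checked by the loop condition, never before consuming a "%HH" triple, so it underflows and the copy runs past the heap buffer), next to a hardened version that refuses to complete an escape from bytes outside the bound. The flawed version is instrumented to stop at the buffer capacity and report the overrun rather than corrupt memory; the input string, the 4-byte bound and the function names are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode "HH"; the caller has already checked both characters are hex. */
static unsigned char hexpair(const char *p)
{
    char hexstr[3] = { p[0], p[1], '\0' };
    return (unsigned char)strtoul(hexstr, NULL, 16);
}

/* Hardened decoder. `len` bounds the input; `len == 0` means "use strlen()".
 * A '%' is only treated as an escape when two more bytes remain INSIDE the
 * bound, so a trailing "%" or "%4" is copied through literally instead of
 * being completed from whatever lies past the end of the input. */
char *url_unescape(const char *src, size_t len, size_t *outlen)
{
    size_t remaining = len ? len : strlen(src);
    char *out = malloc(remaining + 1);   /* output never exceeds input */
    size_t n = 0;
    if (!out)
        return NULL;
    while (remaining > 0) {
        unsigned char c = (unsigned char)*src;
        if (c == '%' && remaining >= 3 &&
            isxdigit((unsigned char)src[1]) && isxdigit((unsigned char)src[2])) {
            c = hexpair(src + 1);
            src += 2;
            remaining -= 2;
        }
        out[n++] = (char)c;
        src++;
        remaining--;
    }
    out[n] = '\0';
    if (outlen)
        *outlen = n;
    return out;
}

/* Instrumented replica of the flawed loop shape. When '%' is the last
 * in-bounds byte and the two bytes after the bound happen to be hex digits,
 * `remaining -= 2` underflows (size_t), the loop keeps going and the writes
 * run past the heap buffer. Here writes stop at `cap` and the overrun is
 * reported instead of corrupting memory. */
size_t legacy_unescape_instrumented(const char *src, size_t len,
                                    char *out, size_t cap, bool *overflowed)
{
    size_t remaining = len ? len : strlen(src);
    size_t n = 0;
    *overflowed = false;
    while (remaining > 0) {
        unsigned char c = (unsigned char)*src;
        /* BUG: no `remaining >= 3` guard before peeking at src[1], src[2] */
        if (c == '%' && isxdigit((unsigned char)src[1]) &&
            isxdigit((unsigned char)src[2])) {
            c = hexpair(src + 1);
            src += 2;
            remaining -= 2;   /* underflows when remaining < 3 */
        }
        if (n >= cap) {       /* instrumentation only; the real code wrote on */
            *overflowed = true;
            break;
        }
        out[n++] = (char)c;
        src++;
        remaining--;
    }
    return n;
}

/* 1 if the hardened decoder maps `src` (bounded by `len`) to exactly
 * `expect` (`expect_len` bytes, so "%00" decoding to NUL is checked too). */
int decodes_to(const char *src, size_t len, const char *expect, size_t expect_len)
{
    size_t n = 0;
    char *got = url_unescape(src, len, &n);
    int ok = got != NULL && n == expect_len && memcmp(got, expect, n) == 0;
    free(got);
    return ok;
}

/* Constructed trigger: the caller bounds the input to 4 bytes ("abc%") but
 * the backing storage continues with "41". Returns 1 if the legacy loop
 * tries to write a 5th byte into a 4-byte buffer. */
int legacy_overruns_on_trailing_percent(void)
{
    static const char backing[] = "abc%41";
    char out[4];
    bool overflowed;
    legacy_unescape_instrumented(backing, 4, out, sizeof out, &overflowed);
    return overflowed;
}

int main(void)
{
    size_t n = 0;
    char *s = url_unescape("abc%41", 4, &n);
    printf("hardened: \"%s\" (%zu bytes)\n", s, n);
    printf("legacy overrun: %d\n", legacy_overruns_on_trailing_percent());
    free(s);
    return 0;
}
```

The check that matters is the one on the remaining bounded length before the two look-ahead reads; testing only that `src[1]` and `src[2]` are hex digits is exactly the mistake, because those bytes may lie outside the caller's bound. When auditing a decoder of this kind, feed it a length-limited buffer whose last byte is '%' and whose backing storage continues with hex digits, as above, and confirm the output length never exceeds the input length.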

References

http://curl.haxx.se/docs/adv_20130622.html

http://lists.opensuse.org/opensuse-updates/2013-07/msg00013.html

http://rhn.redhat.com/errata/RHSA-2013-0983.html

http://www.debian.org/security/2013/dsa-2713

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

http://www.securityfocus.com/bid/60737

http://www.ubuntu.com/usn/USN-1894-1

https://github.com/bagder/curl/commit/192c4f788d48f82c03e9cef40013f34370e90737

Details

Source: MITRE

Published: 2013-07-31

Updated: 2019-04-22

Type: CWE-119

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:haxx:curl:7.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.7.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.7.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.7.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.8.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.14.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.14.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.17.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.17.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.20.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.20.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.22.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.23.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.23.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.24.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.25.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.26.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.27.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.28.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.28.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.29.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.30.0:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:haxx:libcurl:7.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.7.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.7.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.7.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.8.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.14.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.14.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.17.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.17.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.20.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

Tenable Plugins

24 plugins in total.

ID | Name | Product | Family | Severity
125003 | EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1550) | Nessus | Huawei Local Security Checks | critical
91740 | OracleVM 3.2 : curl (OVMSA-2016-0056) | Nessus | OracleVM Local Security Checks | medium
80662 | Oracle Solaris Third-Party Patch Update : libcurl (cve_2013_1944_information_disclosure) | Nessus | Solaris Local Security Checks | medium
75070 | openSUSE Security Update : curl / libcurl (openSUSE-SU-2013:1132-1) | Nessus | SuSE Local Security Checks | medium
72053 | GLSA-201401-14 : cURL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high
68998 | Fedora 17 : curl-7.24.0-10.fc17 (2013-11568) | Nessus | Fedora Local Security Checks | medium
68948 | SuSE 11.3 Security Update : curl (SAT Patch Number 7932) | Nessus | SuSE Local Security Checks | medium
68841 | Oracle Linux 5 / 6 : curl (ELSA-2013-0983) | Nessus | Oracle Linux Local Security Checks | medium
67313 | Fedora 18 : curl-7.27.0-11.fc18 (2013-11574) | Nessus | Fedora Local Security Checks | medium
67312 | Fedora 19 : curl-7.29.0-7.fc19 (2013-11521) | Nessus | Fedora Local Security Checks | medium
67242 | SuSE 10 Security Update : curl (ZYPP Patch Number 8614) | Nessus | SuSE Local Security Checks | medium
67223 | SuSE 10 Security Update : libcurl4 (ZYPP Patch Number 8618) (BEAST) | Nessus | SuSE Local Security Checks | medium
67222 | SuSE 10 Security Update : compat-curl2 (ZYPP Patch Number 8621) | Nessus | SuSE Local Security Checks | medium
67221 | SuSE 11.2 Security Update : curl (SAT Patch Number 7867) | Nessus | SuSE Local Security Checks | medium
67138 | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 : curl vulnerability (USN-1894-1) | Nessus | Ubuntu Local Security Checks | medium
801395 | cURL/libcURL 'curl_easy_unescape()' Heap Memory Corruption Vulnerability | Log Correlation Engine | Web Clients | medium
6898 | cURL/libcURL 'curl_easy_unescape()' Heap Memory Corruption | Nessus Network Monitor | Web Clients | medium
67010 | Mandriva Linux Security Advisory : curl (MDVSA-2013:180) | Nessus | Mandriva Local Security Checks | medium
66998 | CentOS 5 / 6 : curl (CESA-2013:0983) | Nessus | CentOS Local Security Checks | medium
66982 | Scientific Linux Security Update : curl on SL5.x, SL6.x i386/srpm/x86_64 (20130625) | Nessus | Scientific Linux Local Security Checks | medium
66981 | RHEL 5 / 6 : curl (RHSA-2013:0983) | Nessus | Red Hat Local Security Checks | medium
66974 | Debian DSA-2713-1 : curl - heap overflow | Nessus | Debian Local Security Checks | medium
66968 | FreeBSD : cURL library -- heap corruption in curl_easy_unescape (01cf67b3-dc3b-11e2-a6cd-c48508086173) | Nessus | FreeBSD Local Security Checks | medium
66967 | Slackware 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / 14.0 / current : curl (SSA:2013-174-01) | Nessus | Slackware Local Security Checks | medium